Image generated by AI
TLDR
- What: TokenWall is a local, hierarchical runtime firewall that intercepts and semantically audits natural-language "token flows" (context, authority, and capability transitions) in persistent AI agents before state mutation occurs.
- Who's at risk: Long-lived, persistent AI agents (e.g., OpenClaw personal assistants or other persistent multi-turn agent systems) with access to long-term state, memory, external APIs, and tools.
- Key number: TokenWall reduces overall case-level Attack Success Rate (ASR) to 12.5% (compared to 14.7% for the strongest baseline, ClawKeeper) while maintaining a 97.4% benign execution pass rate and introducing only 0.69 seconds of additional latency on benign cases.
TokenWall: Semantic Runtime Auditing and Token-Flow Firewalls for Persistent AI Agents
As LLM agents transition from transient, single-turn chatbots into persistent, autonomous systems operating in the wild—such as OpenClaw personal assistants—they face a massive new attack surface. Unlike transient sessions where a prompt injection is forgotten in the next turn, persistent agents commit malicious payloads directly into long-term memory, custom skills, or tool-mediated state transitions, leading to compounding, hard-to-revert exploits.
TokenWall addresses this vulnerability by acting as a local, boundary-aware semantic firewall that intercepts "token flows" immediately before they mutate agent state or execute dangerous actions.
Threat Model
| Dimension | Description |
|---|---|
| Attacker | An indirect prompt injector or malicious third-party (e.g., via contaminated web pages, emails, shared files, or tool outputs) with knowledge of the agent's public system design but no host-level execution access. |
| Victim | Persistent, long-lived autonomous AI agents managing memory, external tools, identity policies, and cross-session state. |
| Goal | Context manipulation (injecting malicious instructions), Authority manipulation (identity/session drift, privilege escalation), or Capability exploitation (unauthorized tool execution, file deletion, data exfiltration). |
| Budget | Black-box access; injecting malicious natural language payloads into external resources or user input channels. |
Background & Problem Setup
Unlike static software systems, persistent AI agents change their future behavior dynamically based on natural-language inputs. This makes standard runtime defense mechanisms like static analysis, post-hoc logging, or basic input-blocking guardrails highly ineffective.
Comparison of Runtime Defenses
| Defense Paradigm | Key Implementations | Operational Phase | Primary Failure Mode |
|---|---|---|---|
| Static Heuristics & Policy Guards | OpenGuardrails, ClawSec, SecureClaw | Input/Output Boundaries | Fail to capture implicit semantic threats (e.g., memory poisoning or delayed tool misuse). |
| Remote LLM Auditing | ClawKeeper, AgentWard | Post-action / Execution Traces | High computational/latency cost; requires sending sensitive agent context to remote models, raising privacy and deployment concerns. |
| Token-Flow Firewall | TokenWall (This Paper) | Pre-effect Boundary (Pre-execution) | Intercepts at the exact boundary of state mutation, utilizing a lightweight local model with selective escalation. |
Methodology
TokenWall models agent execution as a sequence of token flows: where:
- : The payload segmented into semantic spans (e.g., secrets, destinations, instruction clauses).
- : The source and sink of the flow.
- : Runtime metadata (permissions, trust boundaries, channel info).
- : The boundary to be crossed (Context, Authority, or Capability).
TokenWall processes these flows via a three-tier hierarchical enforcement pipeline:
- Lightweight Precheck: A fast, deterministic filter that parses metadata and scans for explicit rule violations (e.g., attempting to write secrets to external webhooks, or accessing private
localhostsubnets). - Local Small Auditor: A local model (Qwen3-4B) that evaluates semantic risk, produces normalized risk/uncertainty scores, and generates "safe rewrites" (redacting or masking unsafe substrings).
- Fallback Arbitration: High-impact or highly ambiguous flows (determined by thresholds shown in Table 5, such as a risk score or uncertainty ) are escalated to a stronger remote arbiter (Qwen3.6-Plus).
def tokenwall_runtime_procedure(f_0):
# Step 1: Precheck
r_p = precheck(f_0)
if r_p.hardBlock:
return enforce_action(r_p, f_0)
# Step 2: Local Small Auditor
r_s = small_audit(f_0, r_p)
f_star = f_0
if r_s.proposes_rewrite:
x_prime = r_s.rewrite
if valid_rewrite(f_0, f_star, x_prime, r_s):
f_star = update_flow(f_star, x_prime)
else:
return fail_closed(f_star, r_s)
# Step 3: Fallback Arbitration (Escalation)
if escalate(f_star, r_p, r_s):
r_l = large_arbitrate(f_0, f_star, r_p, r_s)
f_star = select_flow(f_0, f_star, r_l)
return enforce_action(r_l, f_star)
return enforce_action(r_s, f_star)
Key Results
Defense Performance on CIK-Bench
The authors evaluated TokenWall on CIK-Bench, a benchmark designed for persistent-state and tool-mediated agent attacks. The task model utilized was Gemini 3.1 Pro, with Qwen3-4B serving as the local auditor and Qwen3.6-Plus as the fallback arbiter.
Note on evaluation models: Given the July 2026 preprint timestamp on this paper, the model names (e.g., Qwen3-4B, Qwen3.6-Plus, and GPT-5.5 as the evaluation judge) represent the state-of-the-art suite of their timeline. We must approach these results with the understanding that they are evaluated on these specific model generations.
| Defense Method | Context ASR ↓ | Authority ASR ↓ | Capability ASR ↓ | Overall ASR ↓ | Benign Pass Rate (PR) ↑ | Benign Latency (s/case) ↓ |
|---|---|---|---|---|---|---|
| OpenGuardrails | 41.7% | 46.2% | 50.0% | 45.5% | 100.0% | 0.00 |
| SecureClaw | 25.0% | 42.3% | 76.9% | 45.5% | 94.7% | 3.48 |
| OpenClaw Shield | 19.4% | 19.2% | 84.6% | 38.6% | 89.5% | 7.19 |
| ClawKeeper | 13.8% | 19.2% | 11.5% | 14.7% | 92.1% | 5.75 |
| TokenWall (Ours) | 11.1% | 15.4% | 11.5% | 12.5% | 97.4% | 0.69 |
Key Findings:
- ASR Reduction: TokenWall achieves the lowest overall Attack Success Rate (ASR) at 12.5%, outperforming the heavy remote-auditing baseline ClawKeeper (14.7%) and drastically outperforming rule-based defenses like OpenGuardrails (45.5%).
- Latency Efficiencies: On benign workloads, TokenWall introduces only 0.69 seconds of latency because the vast majority of safe flows pass through the local auditor without triggering fallback arbitration. Under attack, the end-to-end defense latency averages 16.9 seconds, as complex cases are escalated.
- Ablation Performance: As Figure 3 demonstrates, removing the local small auditor forces almost all decisions to the large arbiter, raising latency to a prohibitive 74.7 seconds per case without improving safety. Removing the fallback arbitration entirely (relying solely on the local 4B model) increases the ASR to 20.4%.
Limitations & Open Questions
While the results are strong, practitioners should note several critical limitations:
- Tiny Evaluation Footprint: CIK-Bench's attack split contains only 88 cases, and the benign evaluation comprises only 38 cases. This is a very small sample size for proving enterprise-grade robustness.
- Fail-Closed Fragility: If the local auditor encounters malformed outputs, timeouts, or invalid JSON, TokenWall defaults to a "fail-closed" blocking state. In real-world production, this could result in significant availability issues if the local model drifts or struggles with complex formatting.
- Local Auditor Quality Dependencies: The system relies heavily on the ability of a small 4B parameter model to accurately self-assess "uncertainty" and "exploitability." If the small model is confidently wrong, it will fail to escalate critical payloads.
What Practitioners Should Do
If you are building or maintaining persistent, multi-turn AI agents, follow these steps to secure your runtime:
1. Hook into the Pre-Effect Boundary
Do not audit agent actions retrospectively. Implement middleware hooks that intercept data at three specific boundaries before any backend execution occurs:
- Context boundary: Prior to writing to memory, databases, or vector stores.
- Authority boundary: Prior to changing session IDs, user roles, or permission profiles.
- Capability boundary: Prior to dispatching parameters to external tools (e.g., file writes, API requests).
2. Implement the Precheck Hard-Invariant Policy
Run deterministic string and pattern parsing before invoking any LLM auditing. Hard-block highly clear signals:
- Block any tool arguments attempting to connect to private subnets (such as
localhostand private IP ranges). - Mask credential patterns (such as standard regexes for API keys, tokens, passwords, and database connection strings) in outbound capabilities.
3. Deploy a Local Small-Model Auditor
Host a local, fine-tuned, or robustly prompted 4B-8B parameter model (such as Qwen3-4B) on your agent's local host. Prompt this model to act strictly as an auditor rather than an assistant, instructing it to output a structured JSON schema:
{
"decision": "allow | rewrite_and_continue | defer_to_human | block",
"rewrite": "string or null",
"risk": "number",
"uncertainty": "number",
"exploitability": "number",
"impact": "number",
"residual_risk_types": [
"sensitive_span | external_sink | side_effect | irreversible_action",
"authority_crossing | recipient_ambiguity | prompt_control",
"tool_induction | none"
],
"rewrite_completeness": "number",
"needs_large_review": "boolean",
"evidence": ["short input-grounded evidence strings"]
}
4. Configure Conservative Escalation Thresholds
Set strict, non-negotiable boundaries on the small model's scores to trigger remote large-model arbitration (such as Qwen3.6-Plus). Use the conservative parameters validated in this paper:
- Trigger escalation if Risk Score .
- Trigger escalation if Uncertainty .
- Trigger escalation if Rewrite Completeness .
The Takeaway
Securing long-lived AI agents requires moving away from static prompt guardrails and transitioning to adaptive runtime mediation of semantic flows. By proving that a local, hierarchical firewall can match the safety of remote large-model checkers while preserving sub-second latency for benign workflows, TokenWall provides a practical blueprint for securing the next generation of autonomous agentic systems.
Den's Take
I am glad to see researchers focusing on the actual boundary of state mutation rather than post-hoc auditing. In my previous writing on persistent control and defending agentic systems against trojans and injections, I argued that securing the execution loop of persistent agents requires active, runtime intervention before an injection escalates into long-term system control.
TokenWall’s modeling of agent actions as "token flows" () is a clean, practical framework for intercepting exploits before they write to memory or execute tools. Adding only 0.69 seconds of latency is highly tolerable for enterprise assistants, and the 97.4% benign pass rate shows they are minimizing operational friction.
However, let's be realistic about the security margins here: dropping the case-level Attack Success Rate (ASR) to 12.5% from ClawKeeper's 14.7% is a marginal, incremental gain. A double-digit successful attack rate means persistent agents remain highly vulnerable to compromise. While a local, boundary-aware semantic firewall is a step in the right direction, a 12.5% bypass rate in a production environment still represents an unacceptably wide open door for critical enterprise workflows.